SailPoint IdentityIQ and EPM

This document provides the steps required to configure the integration between SailPoint IdentityIQ and Endpoint Privilege Management for Windows and Mac.

Create the IdentityIQ Service Account in EPM

1. Log on to the EPM web console as an Administrator.
2. Go to Configuration, and then API Settings.
3. Create an API account for IdentityIQ.

 

Configure SCIM Application in IdentityIQ for EPM

You must log on to IdentityIQ using administrator credentials.

1. Go to Applications, and then Application Definition.
2. Click the Add New Application button.

 

3. From the Application Type menu, select SCIM 2.0. Provide a name for the application.

 

4. On the Configuration tab, provide the base URL and token URL. Select Client Credentials for Grant type. Enter the client ID and secret for the svc_iiq API account.

If the instance URL is https://pmc01.acme.somedomain.net then the API URLs are based on https://pmc01-services.acme.somedomain.com.

 

5. Try testing the connection at this point.

6. Go to the Schema tab.
7. Click Discover Schema Attributes for Object Type: account.
8. The attributes discovered for account are shown.

 

9. Delete extra attributes and keep the attributes shown here.

 

10. Discover the schema attributes for roles, and keep the attributes as shown.

 

11. Click Provisioning Policies.
12. Click Add Policy, and then click Create Policy Form.

13. Click Add Section, then + on the new Section and Add Field. The first field is userName which maps to email address. Click Apply.

    The script format: return identity.getAttribute("email");

 

14. Set the attribute name.givenName. Click Apply.

 

15. Set the attribute name.familyName. Click Apply.

 

16. Set the attribute email. Click Apply.

 

17. Set the attribute displayName. Click Apply.

 

18. Set the attribute active. Click Apply.

 

19. Set the attribute locale to static, and Value to en-US or en-GB. This can be mapped to an Identity attribute, if available.

 

20. Set the attribute timezone to static value. This can be mapped to an Identity attribute, if available.

 

21. Provide a form name and description, and then save the form. Don’t forget to save the application.
22. Edit the application again, and go to Correlation.
23. Create a correlation rule. Save the application.

24. Create the aggregation task for EPM. Navigate to Setup, then Tasks.
25. Click the New Task menu, then select Account Aggregation.

 

26. Configure the task to scan PM Cloud. Scroll to the bottom of the page and click Save and Execute.
27. Confirm the Task result is Success.

 

28. Create a group aggregation task for roles, and filter for only the roles type. Click Save and Execute, and confirm the task executed successfully.

 

29. Go back to the application and select the Accounts tab.

30. Review the discovered or aggregated accounts together with roles.

 

31. Go to Applications, then Entitlement Catalog. Use Advanced Search to filter for the application. The screen capture shows the discovered roles.

 

32. Go to Applications, then Entitlement Catalog. Use Advanced Search to filter for the Application. The screen capture shows the discovered roles.

Only roles are requestable. Entitlements are read-only in the current RBAC model.

33. Select a user that does not yet have access to EPM from the menu in the upper left corner. Select Manage Access, and then Manage User Access.

34. Select a test user on the Manage User Access. Click Next.

 

35. Select a role under the EPM Application. Click Next.

 

36. Click Submit.
37. The request should be in Verifying mode.

38. Confirm the new user is added in EPM.

 

39. Go to the Application Accounts tab and view the user application account and roles.